Patching The Heartbleed OpenSSL Vulnerability

Security Researchers have discovered a very serious vulnerability in the OpenSSL library that is used to power HTTPS on most websites. Many news sources are now covering the story, and we recommend reading their articles to understand the scope of what is happening and the impact of the threat:

To summarize: It is big. It allows an attacker to extract information that was supposed to be private, including SSL private keys themselves. ArsTechnica explains it well:

The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates used to authenticate Internet servers and to encrypt data traveling between them and end users. Attacks leave no traces in server logs, so there’s no way of knowing if the bug has been actively exploited. Still, the risk is extraordinary, given the ability to disclose keys, passwords, and other credentials that could be used in future compromises.

The Tor team summarizes their recommendation by saying, “If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle.”.

What Should I do as a WebMaster?

If you own a website, you must do your part and patch your operating system. If it is a dedicated server, it is your responsibility. If you are on a shared hosting platform, contact your hosting provider to remind them to update their servers. To update your server with the patch follow these step by step directions:

1- Check if your site is vulnerable

We first recommend that you check your site on this page to see if it is vulnerable. If it is, keep reading to see what you need to do.

2a- Patching Ubuntu/Debian dedicated servers

If you run Ubuntu or Debian on a VPS or dedicated server, you will likely need to patch it yourself. A quick way to do that is by updating all packages on your operating system with the following command:

sudo apt-get update
sudo apt-get upgrade

Then restart Apache.

2b- Patching RedHat/CentOS/Fedora and most cPanel dedicated servers

If you run any RedHat-based server, you can patch your server by running:

yum update

Once all packages are updated, you should see inside /var/log/yum.log that OpenSSL was fixed:

Once that is done, you need to restart Apache for the fix to take effect.

2c- Other servers

If you are on a shared host, you can’t do anything. You’ll need to contact your hosting company and wait for them to run the patch for you.

If you are using any other Linux (or BSD) distribution on a dedicated server, you need to follow their steps to update OpenSSL.

3- Restart Apache

Do not forget to restart Apache (or Nginx). We are seeing many patched servers still vulnerable because they forgot this simple step.

4- Generate new certificates

This vulnerability was just disclosed a day ago, but it is possible that a malicious party has known about it for longer than that. If you run a popular web site or take confidential information, you might want to generate new certificates and encryption keys just to be on the safe side.

Daniel is the Founder & CTO of Sucuri and also the founder of the open source project - OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

Thanks for spreading the wotd Daniel
I’ve just contacted my hosting provider and I’ll send him a link to this post.

I’d love to go with the Cloudproxy for 8 of my sites, are you doing any deals?
If you aren’t, now might be a good time to think about it.

Daniel Cid

Hi Keith,

Send me an email (dcid@sucuri.net) and we can talk about it.

Dave

Hi Daniel. I’m not sure how Cloudproxy could protect against such an attack. In fact, it would probably make it worse as the memory leak will affect all customers using that host. Can you please explain how you think Cloudproxy would protect customers against this vulnerability? If your running the vuln openssl, your owned – no WAF is going to save you.